Web sites will be prohibited from collecting personal information from children without their parents' permission, under federal rules issued yesterday that represent the government's first broad effort to protect privacy on the Internet.
The Federal Trade Commission, acting under a law passed by Congress last year, said that as of next April 21 commercial child-oriented Web sites will need permission before collecting, using or disclosing data from the most vulnerable Internet surfers: the under-13 crowd. All sites also will be required to post privacy policies that outline what information is collected and what will be done with it.
"This is a major breakthrough in protecting the privacy of America's families," said Sen. Richard H. Bryan (D-Nev.), sponsor of the legislation.
The rule "puts parents in control over the information collected from children online, and is flexible enough to accommodate the many business practices and technological changes occurring on the Internet," said FTC Chairman Robert Pitofsky.
Cyber-entrepreneurs have a deep hunger for information about their visitors -- both to create databases they can use to more accurately target them with online ads and services, and also to create mailing lists that they can sell to other businesses.
But with no privacy cop on the beat, many Web sites are gathering data by requiring that children who want access to games or contests first disclose their names, e-mail and home addresses, family size, likes and dislikes and more. A 1998 FTC survey of 212 child-oriented Web sites found that 89 percent of them collected personal information, yet only 1 percent required parental consent.
Under the new rules, the Web sites would first ask children for their ages, and if they respond that they are under 13, the requirement for "verifiable parental consent" -- a phrase whose actual meaning is still under construction -- would kick in.
Some of the online companies pushed for mere e-mail confirmation of parental consent. Instead, the commission opted for a sliding-scale approach tied to the intended use of the information. Activities that pose the greatest risk to privacy and safety -- say, disclosing personal information to third parties, or making it publicly available in forums such as chat rooms -- will require the most reliable methods of proving consent. Those include getting parental response by postal mail, fax or toll-free telephone number, or requiring a credit card number or e-mail-verifiable "digital signature" or password.
Consent for purely internal uses of the information, such as placing ads on pages the child will see based on interests the child has expressed in surveys, could be based on e-mail so long as the company takes steps to follow up and ensure that the parent has actually granted consent. The methods will be reevaluated after two years, the FTC said.
The FTC plans to monitor sites using a new Internet Lab opened last month, and looks to consumers to inform it of infractions by calling 1-877-FTC-HELP. Violators face civil penalties, including fines of up to $11,000 per violation, with many violations potentially assessed for a single site, said FTC spokeswoman Victoria Streitfeld.
The new rule brought rare agreement between the companies that will be regulated and the advocacy groups that called for the regulations: Both sides applauded the FTC for walking a careful line between protecting kids and promoting the development of the burgeoning online medium.
"It is crucial to the growth of the Internet that the industry continue to take active steps to increase consumer confidence and deliver private-sector solutions to concerns regarding online privacy protections and safety issues in concert with government efforts," said Larry Shapiro, executive vice president, business development and operations at Disney's Buena Vista Internet Group.
"I'm glad we've reached a point where we actually have rules to protect our children's privacy," said Kathryn Montgomery, president of the Center for Media Education, a Washington-based policy group that has focused on the issue since 1996. "There are enormous forces that are pushing [online companies] toward data collection and manipulative and exploitive practices, but these rules have created some safeguards. . . . If you are going to market to children and if you're going to profit from it, there have to be some rules of the game."
Some privacy advocates warned, however, that the real proof of the rules' effectiveness will come in the way companies operate under their guidelines and how carefully the government monitors them. "I am still anxious about what happens as we start to implement it. Things can look good on paper" but disappoint in practice, said Deirdre Mulligan, staff counsel for the Center for Democracy and Technology, a Washington-based high-tech policy group.
Lawmakers who supported the 1998 Child Online Privacy Protection Act said yesterday Congress now needs to pass laws for grown-ups, too.
With the passage of the new rule, "A child's allowance has greater privacy protection than their parents' financial records -- which is absurd," said Rep. Edward J. Markey (D-Mass.), who is working to implement protections in the financial services modernization bill before Congress.
Sen. Conrad Burns (R-Mont.), who is co-sponsoring the Online Privacy Protection Act, a broad-based online privacy bill, agreed. "Let's don't just stop with children," he said.